Monday, February 17, 2014

[net-security] Geographical passwords as a solution to the password problem

The massive data breaches that happened in the last few years have proven beyond doubt that the text password authentication method has many flaws.

Security researchers and companies working on alternatives to this flawed system have thought of many different schemes: picture and graphics-based passwords, inkblot-based passwords, pass-thoughts, and so on. All these approaches look for a method that lets users create passwords that are unique and easy for the user to remember, but difficult for attackers to guess and/or break.

The latest of these attempts has been described by computer scientist Ziyad Al-Salloum of ZSS-Research in Ras Al Khaimah, UAE. He believes that "geographic" passwords are the solution to the problem.

This approach counts on the fact that users can more easily remember a favorite place than a complex password they chose themselves.

With this system, the user would choose a place on the map - the position of a tree he likes to rest under, a monument he likes to visit, a place where he experienced his first kiss, and so on - and draw a boundary around it.

"Selecting a geographical area can be done using different ways and shapes, a user – for example – can place a circle around his favorite mountain, or a polygon around his favorite set of trees, for an example," explains Al-Salloum.

"No matter how geographical areas are selected, the geographical information that can be driven from these areas (such as longitude, latitude, altitude, areas, perimeters, sides, angles, radius, or others) form the geographical password."

All this information is used to "calculate" the password, which then gets "salted" with a user-specific random string of characters, and all this together gets "hashed" in the end. In this way, different users will effectively never have the same password.
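The pipeline described above (derive geometric features from the drawn boundary, salt them with a per-user random string, hash the result), as an added illustration that is not code from the article or from ZSS-Research. The vertex coordinates are constructed, and the rounding step that makes a slightly redrawn boundary map to the same password is an assumption of this example, not something the article specifies.

```python
import hashlib
import math
import os

# Constructed sample: a boundary drawn around a favourite spot, as
# (latitude, longitude) vertices in decimal degrees.
SAMPLE_BOUNDARY = [(25.789, 55.943), (25.791, 55.943),
                   (25.791, 55.946), (25.789, 55.946)]
# The same spot redrawn slightly differently (one vertex nudged by ~1 m).
REDRAWN_BOUNDARY = [(25.78901, 55.943), (25.791, 55.943),
                    (25.791, 55.946), (25.789, 55.946)]


def boundary_features(vertices, precision=4):
    """Derive the geographical information the article lists from a polygon:
    centroid latitude/longitude, area, perimeter and vertex count.
    Units are raw degrees for simplicity (a real system would project to
    metres). Values are rounded so that redrawing the same place yields the
    same password; the rounding step is an assumption, not from the article."""
    n = len(vertices)
    twice_area = 0.0
    perimeter = 0.0
    for i in range(n):
        lat1, lon1 = vertices[i]
        lat2, lon2 = vertices[(i + 1) % n]
        twice_area += lon1 * lat2 - lon2 * lat1   # shoelace formula
        perimeter += math.hypot(lat2 - lat1, lon2 - lon1)
    lat_c = sum(v[0] for v in vertices) / n
    lon_c = sum(v[1] for v in vertices) / n
    return (round(lat_c, precision), round(lon_c, precision),
            round(abs(twice_area) / 2, precision + 2),
            round(perimeter, precision), n)


def geographic_password(vertices, salt):
    """Canonicalise the features, prepend the user's random salt and hash.
    SHA-256 is used here for brevity; a slow password hash (e.g. scrypt)
    would be the better choice for stored credentials."""
    canonical = "|".join(format(x, ".6f") for x in boundary_features(vertices))
    return hashlib.sha256(salt + canonical.encode()).hexdigest()


def new_user_salt():
    """Per-user random salt so two users choosing the same place differ."""
    return os.urandom(16)


if __name__ == "__main__":
    salt = new_user_salt()
    print(geographic_password(SAMPLE_BOUNDARY, salt))
```

Note that the salt only separates users who pick the same place; it does not add entropy to an individual password, so the guessability of the chosen place still bounds the strength.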

These passwords have many advantages: they are easy to remember and hard to forget, diverse, and hard to predict. And, according to Al-Salloum, "proposing an effective replacement of conventional passwords could reduce 76% of data breaches, based on an analysis of more than 47000 reported security incidents."

Source: http://www.net-security.org/secworld.php?id=16368